add permissions to build.yml #9
name: Build | |
on: | |
push: | |
# TODO: remove github_actions after we've tested that this works | |
branches: [ master, github_actions ] | |
permissions: | |
id-token: write | |
contents: write | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: '10' | |
- name: Install dependencies | |
run: yarn | |
- name: Run Build | |
run: yarn run build | |
deploy: | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: '10' | |
- name: Install dependencies | |
run: yarn | |
- name: Configure AWS Credentials using OIDC | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
# TODO: retrieve this whole value from github secrets | |
role-to-assume: arn:aws:iam::<ACCOUNT>:role/<UPLOAD_ROLE> | |
role-session-name: github-action-account-link-extension-publish | |
aws-region: us-west-1 | |
- name: Run Deploy | |
run: sh tools/cdn.sh |
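Review bot: The top-level `permissions:` block grants `id-token: write` and `contents: write` to both jobs, but only the `deploy` job's `aws-actions/configure-aws-credentials` step needs the OIDC token, and no step visible here writes to the repository. As written, the `build` job runs `yarn` and `yarn run build`, including any dependency install scripts, with a token that can request an OIDC identity and push to the repo. I would set the workflow default to `contents: read` and add a job-level `permissions:` under `deploy:` with `id-token: write` and `contents: read`, keeping `contents: write` only if `tools/cdn.sh` (not shown) really pushes commits or creates releases. Because `github_actions` is still listed in `branches:`, the IAM role's trust policy should also restrict the `sub` claim to the intended repository and branch.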